@gnomondigital/nebulas-kit-core 0.4.1 → 0.5.1

package/README.md

@@ -12,7 +12,8 @@ npm install @gnomondigital/nebulas-kit-core
 
 | Import path | Use |
 |-------------|-----|
-| `@gnomondigital/nebulas-kit-core` | Full API (Next.js, Express, proxy handlers). |
+| `@gnomondigital/nebulas-kit-core` | Framework-agnostic API (clients, shared handlers/types). |
+| `@gnomondigital/nebulas-kit-core/nextjs` | Next.js route handlers and helpers (`next/server` based). |
 | `@gnomondigital/nebulas-kit-core/client` | Browser-only: `sendMessageStream`, Nebulas client, types. **Use from React/Vite** so `next/server` is never bundled. |
 | `@gnomondigital/nebulas-kit-core/express` | Express router only; no Next.js. |
 
@@ -23,14 +24,24 @@ npm install @gnomondigital/nebulas-kit-core
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `A2A_URL` | Yes | A2A agent base URL |
-| `A2A_AUTH_STRATEGY` | Yes | `session` \| `client_credentials` \| `resource_owner_password` \| `api_key_only` |
-| `A2A_API_KEY` | For api_key_only, or fallback | x-api-key header |
+| `A2A_AUTH_STRATEGY` | Yes | `session` \| `client_credentials` \| `resource_owner_password` |
+| `A2A_API_KEY` | Optional fallback | x-api-key header |
 | `AUTH0_DOMAIN` | For Auth0 strategies | Auth0 tenant domain |
 | `AUTH0_CLIENT_ID` | For client_credentials, ROP | Auth0 client ID |
 | `AUTH0_CLIENT_SECRET` | For client_credentials, ROP | Auth0 client secret |
 | `AUTH0_A2A_AUDIENCE` | For Auth0 strategies | API audience |
 | `AUTH0_ROP_USERNAME` | For env ROP (`createA2AProxyHandlerFromEnvROP`) | Service user username (server secret) |
 | `AUTH0_ROP_PASSWORD` | For env ROP | Service user password (server secret) |
+| `AUTH_PROVIDER` | For env service auth | `auth0` \| `entra` |
+| `ENTRA_TENANT_ID` | For Entra service auth | Entra tenant ID |
+| `ENTRA_CLIENT_ID` | For Entra service auth | Entra app/client ID |
+| `ENTRA_CLIENT_SECRET` | Optional for Entra service auth | Secret (if not using certificate) |
+| `ENTRA_CLIENT_CERTIFICATE` / `_PATH` | Optional for Entra service auth | PEM certificate (inline or file path) |
+| `ENTRA_CLIENT_PRIVATE_KEY` / `_PATH` | Optional for Entra service auth | PEM private key (inline or file path) |
+| `ENTRA_A2A_SCOPE` | For Entra service auth | Scope for app/service token request (often `api://<app-id>/.default`) |
+| `ENTRA_OBO_SCOPE` | For Entra OBO/session auth | Delegated downstream API scope for OBO (for example `api://<app-id>/user_impersonation`) |
+| `ENTRA_OBO_CLIENT_ID` | For Entra OBO/session auth | client requesting OBO(upstream API) |
+| `ENTRA_OBO_CLIENT_SECRET` | For Entra OBO/session auth | |
 | `NEBULAS_API_URL` | For Nebulas | Conversation API base URL |
 | `NEBULAS_API_KEY` | For Nebulas proxy | x-api-key fallback when no session token |
 | `NEBULAS_PROJECT_ID` | For Nebulas | Project ID |
@@ -39,8 +50,8 @@ npm install @gnomondigital/nebulas-kit-core
 
 | Mode | When to use | Exports |
 |------|-------------|---------|
-| **Auth0 session** | User signs in with `@auth0/nextjs-auth0`; access token for `AUTH0_A2A_AUDIENCE` comes from the session. | `createA2AProxyHandler`, `createGetHeadersForAuth0`, `handleA2AAuthNextJsPOST` (body ROP, optional) |
-| **Env ROP** | No browser Auth0; a fixed **service user** in env performs Resource Owner Password; token is cached per process. | `createA2AProxyHandlerFromEnvROP`, `createGetHeadersFromEnvROP`, `getCachedAccessTokenFromEnvROP` |
+| **Auth0 session** | User signs in with `@auth0/nextjs-auth0`; access token for `AUTH0_A2A_AUDIENCE` comes from the session. | `createA2AProxyHandler`, `createGetHeadersForSession` |
+| **Env service auth** | No browser session; uses Auth0 ROP service user (`AUTH_PROVIDER=auth0`) or Entra client credentials (`AUTH_PROVIDER=entra`, secret or certificate). Token is cached per process. | `createA2AProxyHandlerFromEnvService`, `createGetHeadersFromEnvService`, `getCachedAccessTokenFromEnvService` |
 
 Env ROP example:
 
@@ -58,10 +69,10 @@ export const POST = createA2AProxyHandlerFromEnvROP({
 import type { NextRequest } from "next/server";
 import {
   handleA2AConfigNextJsGET,
-  createGetHeadersFromEnvROP,
-} from "@gnomondigital/nebulas-kit-core";
+  createGetHeadersFromEnvService,
+} from "@gnomondigital/nebulas-kit-core/nextjs";
 
-const getHeaders = createGetHeadersFromEnvROP({
+const getHeaders = createGetHeadersFromEnvService({
   apiKey: process.env.A2A_API_KEY,
 });
 
@@ -94,25 +105,16 @@ const content = await sendMessageStream(
 
 ```ts
 // app/api/a2a/route.ts
-import { handleA2ANextJsPOST } from "@nebulas-kit/core";
+import { handleA2ANextJsPOST } from "@gnomondigital/nebulas-kit-core/nextjs";
 
 export async function POST(req: NextRequest) {
   return handleA2ANextJsPOST(req);
 }
 ```
 
-```ts
-// app/api/a2a/auth/route.ts
-import { handleA2AAuthNextJsPOST } from "@gnomondigital/nebulas-kit-core";
-
-export async function POST(req: NextRequest) {
-  return handleA2AAuthNextJsPOST(req);
-}
-```
-
 ```ts
 // app/api/a2a/config/route.ts
-import { handleA2AConfigNextJsGET } from "@gnomondigital/nebulas-kit-core";
+import { handleA2AConfigNextJsGET } from "@gnomondigital/nebulas-kit-core/nextjs";
 
 export async function GET() {
   return handleA2AConfigNextJsGET();
@@ -121,7 +123,7 @@ export async function GET() {
 
 ```ts
 // app/api/nebulas/[...path]/route.ts - proxies to Nebulas API (conversations, chat_messages)
-import { createNebulasProxyHandler } from "@gnomondigital/nebulas-kit-core";
+import { createNebulasProxyHandler } from "@gnomondigital/nebulas-kit-core/nextjs";
 import { auth0 } from "@/lib/auth";
 
 const handler = createNebulasProxyHandler({

package/dist/index.d.ts

@@ -8,10 +8,9 @@ export { transformUtcDatesToLocal, } from "./utils/date-timezone.js";
 export type { ChatMessage, ChatMessagePayload, SendMessageStreamOptions } from "./types.js";
 export { handleA2AProxy, type ProxyRequest, type ProxyResponse, type ProxyHandlerOptions, } from "./server/proxy-handler.js";
 export { getAuthStrategy, getAuthHeaders, type AuthStrategy, } from "./server/auth-strategies.js";
-export { exchangePasswordForToken, type ROPAuthRequest, type ROPAuthResponse, } from "./server/auth-handler.js";
 export { createConfigResponse, type ConfigResponse, type AgentCard, type AgentCardCapabilities, } from "./server/config-handler.js";
 export { createA2AExpressRouter, type A2AExpressRouterOptions, } from "./server/express.js";
-export { handleA2ANextJsPOST, handleA2AAuthNextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForAuth0, createGetHeadersFromEnvROP, createA2AProxyHandler, createA2AProxyHandlerFromEnvROP, createNebulasProxyHandler, type HandleA2AConfigOptions, type Auth0ClientInterface, type CreateA2AProxyHandlerOptions, type CreateA2AProxyHandlerFromEnvROPOptions, type CreateGetHeadersFromEnvROPOptions, type CreateNebulasProxyHandlerOptions, } from "./server/nextjs.js";
-export { getCachedAccessTokenFromEnvROP } from "./server/env-rop-token.js";
+export { configureNebulasServer, getNebulasServerConfig, type NebulasServerRuntimeConfig, } from "./server/runtime-config.js";
+export { getCachedAccessTokenFromEnvService, } from "./server/env-service-token.js";
 export { handleNebulasProxy, isRefreshTokenInvalid, type NebulasProxyRequest, type NebulasProxyResponse, type NebulasProxyHandlerOptions, } from "./server/nebulas-proxy-handler.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAElC,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAE5F,OAAO,EACL,cAAc,EACd,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,mBAAmB,GACzB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,eAAe,EACf,cAAc,EACd,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,wBAAwB,EACxB,KAAK,cAAc,EACnB,KAAK,eAAe,GACrB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,qBAAqB,GAC3B,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,mBAAmB,EACnB,uBAAuB,EACvB,wBAAwB,EACxB,wBAAwB,EACxB,0BAA0B,EAC1B,qBAAqB,EACrB,+BAA+B,EAC/B,yBAAyB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,oBAAoB,EACzB,KAAK,4BAA4B,EACjC,KAAK,sCAAsC,EAC3C,KAAK,iCAAiC,EACtC,KAAK,gCAAgC,GACtC,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,8BAA8B,EAAE,MAAM,2BAA2B,CAAC;AAE3E,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,GAC1B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAElC,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAE5F,OAAO,EACL,cAAc,EACd,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,mBAAmB,GACzB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,eAAe,EACf,cAAc,EACd,KAAK,YAAY,GAClB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EACL,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,qBAAqB,GAC3B,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,KAAK,0BAA0B,GAChC,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,kCAAkC,GACnC,MAAM,+BAA+B,CAAC;AAEvC,OAAO,EACL,kBAAkB,EAClB,qBAAqB,EACrB,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EACzB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC"}

package/dist/index.js

@@ -7,10 +7,8 @@ export { createNebulasClient, nebulasClient, } from "./nebulas-client.js";
 export { transformUtcDatesToLocal, } from "./utils/date-timezone.js";
 export { handleA2AProxy, } from "./server/proxy-handler.js";
 export { getAuthStrategy, getAuthHeaders, } from "./server/auth-strategies.js";
-export { exchangePasswordForToken, } from "./server/auth-handler.js";
 export { createConfigResponse, } from "./server/config-handler.js";
 export { createA2AExpressRouter, } from "./server/express.js";
-// Express-only apps: import from "@gnomondigital/nebulas-kit-core/express" to avoid loading Next.js.
-export { handleA2ANextJsPOST, handleA2AAuthNextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForAuth0, createGetHeadersFromEnvROP, createA2AProxyHandler, createA2AProxyHandlerFromEnvROP, createNebulasProxyHandler, } from "./server/nextjs.js";
-export { getCachedAccessTokenFromEnvROP } from "./server/env-rop-token.js";
+export { configureNebulasServer, getNebulasServerConfig, } from "./server/runtime-config.js";
+export { getCachedAccessTokenFromEnvService, } from "./server/env-service-token.js";
 export { handleNebulasProxy, isRefreshTokenInvalid, } from "./server/nebulas-proxy-handler.js";

package/dist/nextjs-api.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Next.js-only entry: avoids coupling the main package barrel to `next/server`.
+ */
+export { handleA2ANextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForSession, createGetHeadersROP as createGetHeadersFromEnvService, createA2AProxyHandler, createA2AProxyHandlerFromEnvService, createNebulasProxyHandler, type HandleA2AConfigOptions, type SessionAuthClientInterface, type CreateA2AProxyHandlerOptions, type CreateA2AProxyHandlerFromEnvServiceOptions, type CreateGetHeadersROPOptions as CreateGetHeadersFromEnvServiceOptions, type CreateNebulasProxyHandlerOptions, } from "./server/nextjs.js";
+//# sourceMappingURL=nextjs-api.d.ts.map

package/dist/nextjs-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs-api.d.ts","sourceRoot":"","sources":["../src/nextjs-api.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EACL,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,mBAAmB,IAAI,8BAA8B,EACrD,qBAAqB,EACrB,mCAAmC,EACnC,yBAAyB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,0BAA0B,EAC/B,KAAK,4BAA4B,EACjC,KAAK,0CAA0C,EAC/C,KAAK,0BAA0B,IAAI,qCAAqC,EACxE,KAAK,gCAAgC,GACtC,MAAM,oBAAoB,CAAC"}

package/dist/nextjs-api.js

@@ -0,0 +1,4 @@
+/**
+ * Next.js-only entry: avoids coupling the main package barrel to `next/server`.
+ */
+export { handleA2ANextJsPOST, handleA2AConfigNextJsGET, createGetHeadersForSession, createGetHeadersROP as createGetHeadersFromEnvService, createA2AProxyHandler, createA2AProxyHandlerFromEnvService, createNebulasProxyHandler, } from "./server/nextjs.js";

package/dist/server/auth-handler.d.ts

@@ -1,17 +1,2 @@
-/**
- * Auth handler for Resource Owner Password flow.
- * Exchanges username/password for Auth0 token.
- */
-export interface ROPAuthRequest {
-    username: string;
-    password: string;
-}
-export interface ROPAuthResponse {
-    access_token: string;
-    expires_in?: number;
-}
-/**
- * Exchange username/password for Auth0 access token.
- */
-export declare function exchangePasswordForToken(username: string, password: string): Promise<ROPAuthResponse>;
+export { exchangePasswordForToken, type ROPAuthRequest, type ROPAuthResponse, } from "./auth0/auth-handler.js";
 //# sourceMappingURL=auth-handler.d.ts.map

package/dist/server/auth-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../src/server/auth-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CA+B1B"}
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../src/server/auth-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wBAAwB,EACxB,KAAK,cAAc,EACnB,KAAK,eAAe,GACrB,MAAM,yBAAyB,CAAC"}

package/dist/server/auth-handler.js

@@ -1,35 +1 @@
-/**
- * Auth handler for Resource Owner Password flow.
- * Exchanges username/password for Auth0 token.
- */
-/**
- * Exchange username/password for Auth0 access token.
- */
-export async function exchangePasswordForToken(username, password) {
-    const domain = process.env.AUTH0_DOMAIN;
-    const clientId = process.env.AUTH0_CLIENT_ID;
-    const clientSecret = process.env.AUTH0_CLIENT_SECRET;
-    const audience = process.env.AUTH0_A2A_AUDIENCE;
-    if (!domain || !clientId || !clientSecret) {
-        throw new Error("AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET required for ROP");
-    }
-    const body = new URLSearchParams({
-        grant_type: "password",
-        username,
-        password,
-        client_id: clientId,
-        client_secret: clientSecret,
-        ...(audience && { audience }),
-    });
-    const res = await fetch(`https://${domain}/oauth/token`, {
-        method: "POST",
-        headers: { "Content-Type": "application/x-www-form-urlencoded" },
-        body: body.toString(),
-    });
-    if (!res.ok) {
-        const body = await res.json().catch(() => ({}));
-        throw new Error(body.error_description || body.error || `Auth failed: ${res.status}`);
-    }
-    const data = (await res.json());
-    return data;
-}
+export { exchangePasswordForToken, } from "./auth0/auth-handler.js";

package/dist/server/auth-strategies.d.ts

@@ -1,16 +1,9 @@
-/**
- * Auth strategies for A2A proxy.
- * Framework-agnostic; returns headers to add to the A2A request.
- */
-export type AuthStrategy = "session" | "client_credentials" | "resource_owner_password" | "api_key_only";
-/**
- * Get headers for A2A request based on strategy.
- * For session/bearer, the caller must pass the token (from session or Authorization header).
- */
+export type AuthStrategy = "session" | "client_credentials" | "resource_owner_password";
 export declare function getAuthHeaders(options: {
     strategy: AuthStrategy;
     bearerToken?: string;
     getSessionToken?: () => Promise<string | undefined>;
+    apiKey?: string;
 }): Promise<Record<string, string>>;
 export declare function getAuthStrategy(): AuthStrategy;
 //# sourceMappingURL=auth-strategies.d.ts.map

package/dist/server/auth-strategies.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-strategies.d.ts","sourceRoot":"","sources":["../../src/server/auth-strategies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,YAAY,GACpB,SAAS,GACT,oBAAoB,GACpB,yBAAyB,GACzB,cAAc,CAAC;AA8CnB;;;GAGG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;CACrD,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CA2BlC;AAED,wBAAgB,eAAe,IAAI,YAAY,CAW9C"}
+{"version":3,"file":"auth-strategies.d.ts","sourceRoot":"","sources":["../../src/server/auth-strategies.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,YAAY,GACpB,SAAS,GACT,oBAAoB,GACpB,yBAAyB,CAAC;AAO9B,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IACpD,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CA4ClC;AAED,wBAAgB,eAAe,IAAI,YAAY,CAU9C"}

package/dist/server/auth-strategies.js

@@ -1,83 +1,59 @@
-/**
- * Auth strategies for A2A proxy.
- * Framework-agnostic; returns headers to add to the A2A request.
- */
-let m2mTokenCache = null;
-/**
- * Get Auth0 token via client credentials (M2M).
- */
-async function getClientCredentialsToken() {
-    const domain = process.env.AUTH0_DOMAIN;
-    const clientId = process.env.AUTH0_CLIENT_ID;
-    const clientSecret = process.env.AUTH0_CLIENT_SECRET;
-    const audience = process.env.AUTH0_A2A_AUDIENCE;
-    if (!domain || !clientId || !clientSecret || !audience) {
-        return undefined;
-    }
-    if (m2mTokenCache && m2mTokenCache.expiresAt > Date.now() + 60000) {
-        return m2mTokenCache.token;
-    }
-    const res = await fetch(`https://${domain}/oauth/token`, {
-        method: "POST",
-        headers: { "Content-Type": "application/x-www-form-urlencoded" },
-        body: new URLSearchParams({
-            grant_type: "client_credentials",
-            client_id: clientId,
-            client_secret: clientSecret,
-            audience,
-        }),
-    });
-    if (!res.ok) {
-        const body = await res.json().catch(() => ({}));
-        throw new Error(body.error_description || body.error || `Auth0 token failed: ${res.status}`);
-    }
-    const data = (await res.json());
-    const expiresIn = (data.expires_in ?? 86400) * 1000;
-    m2mTokenCache = {
-        token: data.access_token,
-        expiresAt: Date.now() + expiresIn,
-    };
-    return data.access_token;
+import { exchangeEntraOnBehalfOfToken } from "./entra/session-token.js";
+import { getAuth0ClientCredentialsToken } from "./auth0/client-credentials.js";
+import { getCachedAccessTokenFromEnvService } from "./env-service-token.js";
+import { getNebulasServerConfig } from "./runtime-config.js";
+function getAuthProvider() {
+    const provider = getNebulasServerConfig().authProvider;
+    return provider === "entra" ? "entra" : "auth0";
 }
-/**
- * Get headers for A2A request based on strategy.
- * For session/bearer, the caller must pass the token (from session or Authorization header).
- */
 export async function getAuthHeaders(options) {
     const headers = {};
-    const apiKey = process.env.A2A_API_KEY;
+    const apiKey = options.apiKey ?? getNebulasServerConfig().a2aApiKey;
+    if (apiKey)
+        headers["x-api-key"] = apiKey;
+    const provider = getAuthProvider();
     switch (options.strategy) {
-        case "api_key_only":
-            if (apiKey)
-                headers["x-api-key"] = apiKey;
-            break;
         case "client_credentials": {
-            const token = await getClientCredentialsToken();
+            const token = provider === "entra"
+                ? await getCachedAccessTokenFromEnvService()
+                : await getAuth0ClientCredentialsToken();
             if (token)
                 headers["Authorization"] = `Bearer ${token}`;
-            if (apiKey)
-                headers["x-api-key"] = apiKey;
             break;
         }
-        case "resource_owner_password":
         case "session": {
-            const token = options.bearerToken ?? (options.getSessionToken ? await options.getSessionToken() : undefined);
-            if (token)
+            const token = options.bearerToken ??
+                (options.getSessionToken ? await options.getSessionToken() : undefined);
+            if (token) {
+                if (provider === "entra" && options.strategy === "session") {
+                    const obo = await exchangeEntraOnBehalfOfToken(token);
+                    headers["Authorization"] = `Bearer ${obo.access_token}`;
+                }
+                else {
+                    headers["Authorization"] = `Bearer ${token}`;
+                }
+            }
+            break;
+        }
+        case "resource_owner_password": {
+            if (provider === "entra") {
+                throw new Error("A2A_AUTH_STRATEGY=resource_owner_password is Auth0-only.");
+            }
+            const token = await getCachedAccessTokenFromEnvService();
+            if (token) {
                 headers["Authorization"] = `Bearer ${token}`;
-            if (apiKey)
-                headers["x-api-key"] = apiKey;
+            }
             break;
         }
     }
     return headers;
 }
 export function getAuthStrategy() {
-    const s = process.env.A2A_AUTH_STRATEGY?.toLowerCase();
+    const s = getNebulasServerConfig().a2aAuthStrategy;
     if (s === "session" ||
         s === "client_credentials" ||
-        s === "resource_owner_password" ||
-        s === "api_key_only") {
+        s === "resource_owner_password") {
         return s;
     }
-    return "api_key_only";
+    return "session";
 }

package/dist/server/auth0/auth-handler.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Auth0 handler for Resource Owner Password flow.
+ * Exchanges username/password for Auth0 token.
+ */
+export interface ROPAuthRequest {
+    username: string;
+    password: string;
+}
+export interface ROPAuthResponse {
+    access_token: string;
+    expires_in?: number;
+}
+/**
+ * Exchange username/password for Auth0 access token.
+ */
+export declare function exchangePasswordForToken(username: string, password: string): Promise<ROPAuthResponse>;
+//# sourceMappingURL=auth-handler.d.ts.map

package/dist/server/auth0/auth-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../../src/server/auth0/auth-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,eAAe,CAAC,CAgC1B"}

package/dist/server/auth0/auth-handler.js

@@ -0,0 +1,37 @@
+/**
+ * Auth0 handler for Resource Owner Password flow.
+ * Exchanges username/password for Auth0 token.
+ */
+import { getNebulasServerConfig } from "../runtime-config.js";
+/**
+ * Exchange username/password for Auth0 access token.
+ */
+export async function exchangePasswordForToken(username, password) {
+    const config = getNebulasServerConfig().auth0;
+    const domain = config?.domain;
+    const clientId = config?.clientId;
+    const clientSecret = config?.clientSecret;
+    const audience = config?.audience;
+    if (!domain || !clientId || !clientSecret) {
+        throw new Error("AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET required for ROP");
+    }
+    const body = new URLSearchParams({
+        grant_type: "password",
+        username,
+        password,
+        client_id: clientId,
+        client_secret: clientSecret,
+        ...(audience && { audience }),
+    });
+    const res = await fetch(`https://${domain}/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString(),
+    });
+    if (!res.ok) {
+        const payload = await res.json().catch(() => ({}));
+        throw new Error(payload.error_description || payload.error || `Auth failed: ${res.status}`);
+    }
+    const data = (await res.json());
+    return data;
+}

package/dist/server/auth0/auth-strategies.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Auth strategies for A2A proxy.
+ * Framework-agnostic; returns headers to add to the A2A request.
+ */
+export type AuthStrategy = "session" | "client_credentials" | "resource_owner_password" | "api_key_only";
+/**
+ * Get headers for A2A request based on strategy.
+ * For session/bearer, the caller must pass the token (from session or Authorization header).
+ */
+export declare function getAuthHeaders(options: {
+    strategy: AuthStrategy;
+    bearerToken?: string;
+    getSessionToken?: () => Promise<string | undefined>;
+}): Promise<Record<string, string>>;
+export declare function getAuthStrategy(): AuthStrategy;
+//# sourceMappingURL=auth-strategies.d.ts.map

package/dist/server/auth0/auth-strategies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-strategies.d.ts","sourceRoot":"","sources":["../../../src/server/auth0/auth-strategies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,YAAY,GACpB,SAAS,GACT,oBAAoB,GACpB,yBAAyB,GACzB,cAAc,CAAC;AA8CnB;;;GAGG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;CACrD,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CA2BlC;AAED,wBAAgB,eAAe,IAAI,YAAY,CAW9C"}

package/dist/server/auth0/auth-strategies.js

@@ -0,0 +1,83 @@
+/**
+ * Auth strategies for A2A proxy.
+ * Framework-agnostic; returns headers to add to the A2A request.
+ */
+let m2mTokenCache = null;
+/**
+ * Get Auth0 token via client credentials (M2M).
+ */
+async function getClientCredentialsToken() {
+    const domain = process.env.AUTH0_DOMAIN;
+    const clientId = process.env.AUTH0_CLIENT_ID;
+    const clientSecret = process.env.AUTH0_CLIENT_SECRET;
+    const audience = process.env.AUTH0_A2A_AUDIENCE;
+    if (!domain || !clientId || !clientSecret || !audience) {
+        return undefined;
+    }
+    if (m2mTokenCache && m2mTokenCache.expiresAt > Date.now() + 60000) {
+        return m2mTokenCache.token;
+    }
+    const res = await fetch(`https://${domain}/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "client_credentials",
+            client_id: clientId,
+            client_secret: clientSecret,
+            audience,
+        }),
+    });
+    if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error_description || body.error || `Auth0 token failed: ${res.status}`);
+    }
+    const data = (await res.json());
+    const expiresIn = (data.expires_in ?? 86400) * 1000;
+    m2mTokenCache = {
+        token: data.access_token,
+        expiresAt: Date.now() + expiresIn,
+    };
+    return data.access_token;
+}
+/**
+ * Get headers for A2A request based on strategy.
+ * For session/bearer, the caller must pass the token (from session or Authorization header).
+ */
+export async function getAuthHeaders(options) {
+    const headers = {};
+    const apiKey = process.env.A2A_API_KEY;
+    switch (options.strategy) {
+        case "api_key_only":
+            if (apiKey)
+                headers["x-api-key"] = apiKey;
+            break;
+        case "client_credentials": {
+            const token = await getClientCredentialsToken();
+            if (token)
+                headers["Authorization"] = `Bearer ${token}`;
+            if (apiKey)
+                headers["x-api-key"] = apiKey;
+            break;
+        }
+        case "resource_owner_password":
+        case "session": {
+            const token = options.bearerToken ?? (options.getSessionToken ? await options.getSessionToken() : undefined);
+            if (token)
+                headers["Authorization"] = `Bearer ${token}`;
+            if (apiKey)
+                headers["x-api-key"] = apiKey;
+            break;
+        }
+    }
+    return headers;
+}
+export function getAuthStrategy() {
+    const s = process.env.A2A_AUTH_STRATEGY?.toLowerCase();
+    if (s === "session" ||
+        s === "client_credentials" ||
+        s === "resource_owner_password" ||
+        s === "api_key_only") {
+        return s;
+    }
+    return "api_key_only";
+}

package/dist/server/auth0/client-credentials.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Get Auth0 token via client credentials (M2M).
+ */
+export declare function getAuth0ClientCredentialsToken(): Promise<string | undefined>;
+//# sourceMappingURL=client-credentials.d.ts.map

package/dist/server/auth0/client-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-credentials.d.ts","sourceRoot":"","sources":["../../../src/server/auth0/client-credentials.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,wBAAsB,8BAA8B,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAwClF"}

package/dist/server/auth0/client-credentials.js

@@ -0,0 +1,39 @@
+import { getNebulasServerConfig } from "../runtime-config.js";
+let m2mTokenCache = null;
+/**
+ * Get Auth0 token via client credentials (M2M).
+ */
+export async function getAuth0ClientCredentialsToken() {
+    const config = getNebulasServerConfig().auth0;
+    const domain = config?.domain;
+    const clientId = config?.clientId;
+    const clientSecret = config?.clientSecret;
+    const audience = config?.audience;
+    if (!domain || !clientId || !clientSecret || !audience) {
+        return undefined;
+    }
+    if (m2mTokenCache && m2mTokenCache.expiresAt > Date.now() + 60000) {
+        return m2mTokenCache.token;
+    }
+    const res = await fetch(`https://${domain}/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+            grant_type: "client_credentials",
+            client_id: clientId,
+            client_secret: clientSecret,
+            audience,
+        }),
+    });
+    if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.error_description || body.error || `Auth0 token failed: ${res.status}`);
+    }
+    const data = (await res.json());
+    const expiresIn = (data.expires_in ?? 86400) * 1000;
+    m2mTokenCache = {
+        token: data.access_token,
+        expiresAt: Date.now() + expiresIn,
+    };
+    return data.access_token;
+}

package/dist/server/auth0/env-service-token.d.ts

@@ -0,0 +1,5 @@
+export declare function exchangeAuth0EnvServiceToken(): Promise<{
+    access_token: string;
+    expires_in?: number;
+}>;
+//# sourceMappingURL=env-service-token.d.ts.map

package/dist/server/auth0/env-service-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-service-token.d.ts","sourceRoot":"","sources":["../../../src/server/auth0/env-service-token.ts"],"names":[],"mappings":"AAGA,wBAAsB,4BAA4B,IAAI,OAAO,CAAC;IAC5D,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC,CAUD"}

package/dist/server/auth0/env-service-token.js

@@ -0,0 +1,11 @@
+import { exchangePasswordForToken } from "./auth-handler.js";
+import { getNebulasServerConfig } from "../runtime-config.js";
+export async function exchangeAuth0EnvServiceToken() {
+    const serviceUser = getNebulasServerConfig().auth0ServiceUser;
+    const username = serviceUser?.username;
+    const password = serviceUser?.password;
+    if (!username || !password) {
+        throw new Error("Auth0 service user credentials are required for service ROP token");
+    }
+    return exchangePasswordForToken(username, password);
+}

package/dist/server/config-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-handler.d.ts","sourceRoot":"","sources":["../../src/server/config-handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,WAAW,qBAAqB;IACpC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,qBAAqB,CAAC;IACrC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,SAAS,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,kGAAkG;IAClG,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAyBD,wBAAsB,oBAAoB,CACxC,OAAO,CAAC,EAAE,2BAA2B,GACpC,OAAO,CAAC,cAAc,CAAC,CAmBzB"}
+{"version":3,"file":"config-handler.d.ts","sourceRoot":"","sources":["../../src/server/config-handler.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,WAAW,qBAAqB;IACpC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,qBAAqB,CAAC;IACrC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,SAAS,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC;IAC7B,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,2BAA2B;IAC1C,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,kGAAkG;IAClG,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AA0BD,wBAAsB,oBAAoB,CACxC,OAAO,CAAC,EAAE,2BAA2B,GACpC,OAAO,CAAC,cAAc,CAAC,CAmBzB"}

package/dist/server/config-handler.js

@@ -3,10 +3,10 @@
  * Fetches agent card from A2A_URL/.well-known/agent-card.json when A2A_URL is set.
  * Framework-agnostic; returns JSON response body.
  */
-import { nodeEnv } from "./node-env.js";
-const A2A_URL = nodeEnv("A2A_URL") || nodeEnv("NEXT_PUBLIC_A2A_URL") || "";
+import { getNebulasServerConfig } from "./runtime-config.js";
 async function fetchAgentCard(headers) {
-    const base = A2A_URL.replace(/\/$/, "");
+    const a2aUrl = getNebulasServerConfig().a2aUrl ?? "";
+    const base = a2aUrl.replace(/\/$/, "");
     if (!base)
         return null;
     const url = `${base}/.well-known/agent-card.json`;
@@ -29,7 +29,7 @@ async function fetchAgentCard(headers) {
     }
 }
 export async function createConfigResponse(options) {
-    const nebulasProjectId = nodeEnv("NEBULAS_PROJECT_ID") ?? null;
+    const nebulasProjectId = getNebulasServerConfig().nebulasProjectId ?? null;
     const includeAgentCard = options?.includeAgentCard !== false;
     if (!includeAgentCard) {
         return {

package/dist/server/entra/env-service-token.d.ts

@@ -0,0 +1,5 @@
+export declare function exchangeEntraClientCredentialsToken(): Promise<{
+    access_token: string;
+    expires_in?: number;
+}>;
+//# sourceMappingURL=env-service-token.d.ts.map